Don't save passwords!

Here’s an interesting article for all those who’ve considered (or are) saving passwords in a database or file:

Making a hash of passwords

In short, don’t save a password, save its hash.

Xojo provides a tool for this in the Crypto module: PBKDF2. You should use that over just a hash.

Even better, implement a Security Through Obesity plan. Thom McGrath wrote up a nice summary here.
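The pattern Kem describes (a salted, iterated PBKDF2 derivation instead of a bare hash) is shown below as an added example. It is not code from this thread or from Xojo; it uses Python's standard `hashlib.pbkdf2_hmac` where a Xojo app would call the Crypto module's PBKDF2, and the storage format (`pbkdf2_sha256$iterations$salt$hash`), iteration count and key length are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example: tune the iteration count to your hardware.
DEFAULT_ITERATIONS = 600_000
SALT_BYTES = 16
KEY_LEN = 32
ALGO = "sha256"


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.b64decode(text.encode("ascii"))


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing string to store instead of the password.

    A fresh random salt is generated per password, so two users with the same
    password get different stored values and precomputed tables are useless.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac(ALGO, password.encode("utf-8"), salt,
                                  iterations, dklen=KEY_LEN)
    # Salt and iteration count travel with the hash, so the count can be
    # raised later without breaking existing records.
    return "pbkdf2_%s$%d$%s$%s" % (ALGO, iterations, _b64(salt), _b64(derived))


def verify_password(password: str, stored: str) -> bool:
    """Re-derive from the stored salt/iterations and compare in constant time."""
    try:
        scheme, iterations, salt_b64, hash_b64 = stored.split("$")
        if not scheme.startswith("pbkdf2_"):
            return False
        algo = scheme[len("pbkdf2_"):]
        salt = _b64d(salt_b64)
        expected = _b64d(hash_b64)
        candidate = hashlib.pbkdf2_hmac(algo, password.encode("utf-8"), salt,
                                        int(iterations), dklen=len(expected))
    except (ValueError, TypeError):
        # Malformed record: treat as a failed login rather than raising.
        return False
    # compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))                # False
```

Only the returned record is written to the database; the clear-text password never is. Because the record carries its own salt and iteration count, a later decision to increase the work factor only requires re-hashing each user at their next successful login.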

[quote=148043:@Peter Rodwell]Here’s an interesting article for all those who’ve considered (or are) saving passwords in a database or file:

Making a hash of passwords

In short, don’t save a password, save its hash.[/quote]

Peter, this is true, but if you or anyone is considering storing a hash in a database, there is a lot more to this too. Read this article here; it has been recommended to me by a few people and is a very well written article.

Also read this. Both very good articles.

It is a huge subject area with a lot of good and bad advice out there on the internet. All I can say is if you are dealing with other peoples information, guard it as you would your own child. Don’t be afraid to ask questions of other developers as you may find out more than you think.

One big tip that a lot of people overlook is to collect minimal information from your users. You will find web forms often ask for all sorts of information: age, date of birth, phone number, etc. If you don’t need it, don’t collect it. The less information you hold about individuals, the less information will be divulged when you get hacked.

On Mac, save application keywords in the keychain. This way you can liberate the user from typing a password each time something like an app with access to a database server is launched.

This is all true. I wasn’t saying that we should just do a simple hash and think we’re perfectly secure. It depends on the context. If you’re a bank, you have to take every possible precaution. If you’re just running a site for a few friends and don’t want the general public to have access, something simpler will probably do.

I couldn’t agree more! Collecting personal information (and presumably selling it) is a particularly noxious phenomenon, IMHO. Also cookies: am I the only person to be irritated by the increasing number of Web sites that insist on our enabling cookies for no apparent reason?

C’mon Peter, you know that the cookies are to allow them to improve our (ad tracking) experiences on their web sites :S

I keep two browsers - I use Safari for important stuff where I “should” allow cookies and then I use Chrome (with AdBlock installed) for general browsing and clear the cookies every time I close it.

Well, I see the need for cookies, so I understand this. I would suggest in most cases cookies are nothing to worry about; the ones that frustrate me are the Google tracking cookies, but I am seriously anti-Google so I am biased.

I would be more concerned about “Google tracking code”, which many internet web sites are using for Google Analytics.

I agree, but again it’s only really used for targeted advertising, nothing more sinister.

If you really want to get paranoid about tracking you should install the Ghostery plug-in for Safari. You will see that some websites have a dozen or more tracking methods installed. If you are so inclined, Ghostery can be configured to block them also.

I hadn’t heard of Ghostery before; I’ve been using DontTrackMe (now named Blur) and it does essentially the same thing. For a price they’ll even give you temporary phone and credit card numbers to use (much like PayPal used to have). Interesting that the Ghostery icon closely matches that of SnapChat.

But back to the original topic, why isn’t that just common sense?

[quote=148045:@Kem Tekinay]Xojo provides a tool for this in the Crypto module: PBKDF2. You should use that over just a hash.

Even better, implement a Security Through Obesity plan. Thom McGrath wrote up a nice summary here.[/quote]

I have successfully used Thom’s method here and it works a treat.

After reading through several articles regarding passwords, storage, handling, etc., it seems to fulfil most of the recommended methods quite nicely!

:slight_smile:

Recent articles on the Sony malware report that the company kept passwords in a folder called, with fiendish subtlety, “passwords”.

Perhaps I should revise my policy of keeping personal data in a plain text file called “UncryptedPersonalDataIncludingPasswordsPersonalHygieneHabitsAndCreditCardDetails.txt”

That should read “…Sony malware attack…” (what happened to the edit facility?)

Edit works only when not needed :wink:

The forum creates a hash from your post once you submit, hence unable to retrieve the original text again :slight_smile: